Google to shift UK user data to the US post-Brexit

Google plans to migrate UK user accounts from Ireland to the US following Britain’s withdrawal from the EU.

The sensitive data of tens of millions of users could be shifted away from Ireland, where it currently resides, according to Reuters. That's believed to be amid concerns from Google that the UK will loosen its data protection laws and fail to agree on a data-sharing agreement with EU, potentially making it difficult to transfer data between Ireland and the UK.

The migration will involve asking UK users to agree to new terms of service, which includes consent to holding their data under the new jurisdiction.

The move could mean UK authorities are better able to recover data for criminal investigations, thanks to the CLOUD Act that has made cross-border data transfers much easier. However, it raises concerns as the US has much weaker data protection laws than across the EU. While the Californian Consumer Privacy Act (CCPA), outlines some protections, there is no national federal data protection law with sufficient provisions akin to GDPR or the UK's Data Protection Act 2018.

According to the firm’s former global privacy technology lead, Lea Kissner, Google fears that the UK water will water down its data protection laws enough that it fails to reach an adequacy agreement with the EU. Without that agreement, data sharing will become more complex, and potentially require company by company contracts.

"There’s a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super-messy,” Kissner told Reuters. "Never discount the desire of tech companies not be caught in between two different governments."

Legal director with UK law firm TLT, Ed Hayes, told IT Pro that it's no surprise Google is looking at ways to move UK user data away from the EU, given that GDPR limits the ways companies can monetise data. "Google’s plans seem to assume the UK will water down its data protection standards once the Brexit transition ends," he said. "But that would contradict UK Regulations passed in 2019 to incorporate GDPR into UK law after transition, and government statements to date about continuing GDPR compliance.

"It could be that Google is betting the UK’s need for a quick US trade deal will see those commitments dropped, and is seeking to boost its bottom line by moving UK users’ personal data under US law," he adds. "However, if Google gets that wrong, and simply changes the location of UK users’ personal data while GDPR-equivalent laws still apply, it’s unlikely to achieve the goal of taking itself outside GDPR – GDPR’s reach is controlled by user location not just by data storage location."

The question of data flow post-Brexit has been the source of much confusion for businesses. During the current transition period, which will expire January 2021, the Information Commissioner’s Office (ICO) has made assurances that data flow between the UK and the EU will continue as normal.

The terms of the UK’s future relationship with the EU will determine whether critical business information can continue to flow seamlessly. The suggestions that a future trade agreement between the UK and the US could weaken data protection laws are partially reinforced by leaked documents released last year. According to preliminary trade discussions, the US is currently lobbying for an agreement to ease international data transfers underlined by a set of common standards, but not to the extent that domestic laws are harmonised.